CLAIMS



We claim: 

1. A method for modifying entries in an Identity System, comprising the
steps of:

creating a first entry for said Identity System, said first entry includes a first 
set of attributes based on a first set of one or more classes; and 

removing a subset of said first set of attributes from said entry after said step 
of creating said first entry. 


2. A method according to claim 1, wherein: 

said first set of one or more classes includes a structural class and a first set of 
one or more auxiliary classes. 



3. A method according to claim 1, wherein:

said step of removing includes a step of removing one or more auxiliary 
classes from said entry, said one or more auxiliary classes are associated with said 
subset of said first set of attributes. 



4. A method according to claim 3, wherein said step of removing one or
more auxiliary classes from said entry includes the steps of:

removing a first auxiliary class associated with said subset of said first set of 
attributes; and 

removing auxiliary classes that are superior to said first auxiliary class and that 
are not superior to any auxiliary classes that remain part of said entry.

5. A method according to claim 3, wherein: 

said subset of said first set of attributes includes data stored in said attributes;
and

said step of removing a subset of said first set of attributes includes removing
said data.

6. A method according to claim 1, wherein said step of removing a
subset of said first set of attributes includes the steps of: 

identifying a set of auxiliary classes in a user interface; 

receiving a selection of one or more of said auxiliary classes via said user 
interface; and

removing said selected one or more of said auxiliary classes. 

7. A method according to claim 1, wherein said step of removing a
subset of said first set of attributes includes the steps of: 

identifying a set of attributes in a user interface;

receiving a selection of said subset of said first set of attributes via said user
interface; and

removing said subset of said first set of attributes from said entry.

8. A method according to claim 1, further comprising the step of:

adding new attributes to said entry after said step of creating.

9. A method according to claim 8, wherein:

said step of adding new attributes includes adding one or more auxiliary
classes associated with said new attributes to said entry.

10. A method according to claim 8, wherein said step of adding new 
attributes includes the steps of: 

adding one or more auxiliary classes associated with said new attributes to 
said entry; and

adding classes to said entry that are not already part of said entry and are 
superior to said one or more auxiliary classes associated with said new attributes. 

11. A method according to claim 8, wherein said step of adding new 
attributes includes the steps of:

identifying a set of auxiliary classes in a user interface; 

receiving a selection of one or more of said auxiliary classes via said user 
interface; and

adding said selected one or more of said auxiliary classes. 



12. A method according to claim 8, wherein said step of removing a 
subset of said first set of attributes includes the steps of:

identifying a set of attributes in a user interface; 
receiving a selection of said new attributes via said user interface; and 
adding one or more auxiliary classes associated with said new attributes to 
said entry. 


13. A method according to claim 8, wherein: 

said steps of creating, adding and removing are performed by an integrated 
identity and access system; and 

said an integrated identity and access system is capable of evaluating said new 
attributes to authorize a user to access a resource.



14. A method according to claim 8, wherein: 
said entry is a group entry; and 

at least one of said new attributes stores a rule defining dynamic membership 
for said group entry.

15. A method according to claim 8, wherein: 
said entry is a group entry; and 

at least one of said new attributes stores a subscription policy for said group
entry.



16. A method according to claim 1, wherein: 

said steps of creating and removing are performed by an integrated identity 
and access system. 


17. A method according to claim 1, wherein:
said entry is a group object; and
said step of creating includes instantiating said group object.

18. A method according to claim 17, wherein:

said step of removing includes a step of removing one or more auxiliary 
classes from said group object, said one or more auxiliary classes are associated with
said subset of said first set of attributes. 

19. A method according to claim 18 wherein said step of removing one or 
more auxiliary classes from said group object includes the steps of: 

removing a first auxiliary class associated with said subset of said first set of 
attributes; and 

removing classes that are superior to said first auxiliary class and that are not 
superior to any auxiliary classes that remain part of said entry. 

20. A method according to claim 17, further comprising the step of: 
adding new attributes to said entry after said step of creating, said step of 

adding new attributes includes adding one or more auxiliary classes associated with 
said new attributes to said entry. 

21. A method according to claim 17, wherein:
said group object is stored in an LDAP directory. 

22. One or more processor readable storage devices having processor 
readable code embodied on said processor readable storage devices, said processor
readable code for programming one or more processors to perform a method
comprising the steps of: 

creating a first entry for said Identity System, said first entry includes a first 
set of attributes based on a first set of one or more classes; and 

removing a subset of said first set of attributes from said entry after said step 
of creating said first entry.

23. One or more processor readable storage devices according to claim 22, 
wherein:

said step of removing includes a step of removing one or more auxiliary 
classes from said entry, said one or more auxiliary classes are associated with said 
subset of said first set of attributes. 

24. One or more processor readable storage devices according to claim 23, 
wherein said step of removing one or more auxiliary classes from said entry includes 
the steps of: 

removing a first auxiliary class associated with said subset of said first set of 
attributes; and 

removing classes that are superior to said first auxiliary class and that are not 
superior to any auxiliary classes that remain part of said entry. 

25. One or more processor readable storage devices according to claim 22, 
wherein said method further comprises the step of: 

adding new attributes to said entry after said step of creating, said step of 
adding new attributes includes adding one or more auxiliary classes associated with 
said new attributes to said entry. 

26. One or more processor readable storage devices according to claim 25, 
wherein said step of adding new attributes includes the steps of: 

adding one or more auxiliary classes associated with said new attributes to 
said entry; and 

adding classes to said entry that are not already part of said entry and are 
superior to said one or more auxiliary classes associated with said new attributes. 

27. One or more processor readable storage devices according to claim 22, 
wherein: 

said steps of creating and removing are performed by an integrated identity 
and access system. 

28. One or more processor readable storage devices according to claim 22, 
wherein:

said entry is a group object; and

said step of creating includes instantiating said group object.

29. One or more processor readable storage devices according to claim 28,
wherein:



said step of removing includes a step of removing one or more auxiliary 
classes from said group object, said one or more auxiliary classes are associated with 
said subset of said first set of attributes. 



30. One or more processor readable storage devices according to claim 29, 
wherein said step of removing one or more auxiliary classes from said group object 
includes the steps of: 

removing a first auxiliary class associated with said subset of said first set of 
attributes; and

removing classes that are superior to said first auxiliary class and that are not 
superior to any auxiliary classes that remain part of said entry. 

31. One or more processor readable storage devices according to claim 28,
wherein said method further comprises the step of:

adding new attributes to said entry after said step of creating, said step of 
adding new attributes includes adding one or more auxiliary classes associated with 
said new attributes to said entry. 

32. One or more processor readable storage devices according to claim 28,
wherein:

said group object is stored in an LDAP directory.



33. An apparatus that can be used to manage Identity System entries,
comprising:

a communication interface; and

one or more processors in communication with said communication interface,
said one or more processors perform a method comprising the steps of: 

creating a first entry for said Identity System, said first entry includes a 
first set of attributes based on a first set of one or more classes, and 

removing a subset of said first set of attributes from said entry after 
said step of creating said first entry. 

34. An apparatus according to claim 33, wherein: 

said step of removing includes a step of removing one or more auxiliary 
classes from said entry, said one or more auxiliary classes are associated with said 
subset of said first set of attributes. 

35. An apparatus according to claim 34, wherein said step of removing one 
or more auxiliary classes from said entry includes the steps of: 

removing a first auxiliary class associated with said subset of said first set of 
attributes; and 

removing auxiliary classes that are superior to said first auxiliary class and that 
are not superior to any auxiliary classes that remain part of said entry. 

36. An apparatus according to claim 33, wherein said method further 
comprises the step of: 

adding new attributes to said entry after said step of creating, said step of 
adding new attributes includes adding one or more auxiliary classes associated with 
said new attributes to said entry. 

37. An apparatus according to claim 36, wherein said step of adding new 
attributes includes the steps of: 

adding one or more auxiliary classes associated with said new attributes to 
said entry; and 

adding auxiliary classes to said entry that are not already part of said entry and 
are superior to said one or more auxiliary classes associated with said new attributes. 

38. An apparatus according to claim 33, wherein:

said steps of creating and removing are performed by an integrated identity 
and access system. 

39. An apparatus according to claim 33, wherein:

said entry is a group object; and 

said step of creating includes instantiating said group object. 

40. An apparatus according to claim 39, wherein: 

said step of removing includes a step of removing one or more auxiliary
classes from said group object, said one or more auxiliary classes are associated with
said subset of said first set of attributes. 

41. An apparatus according to claim 40 wherein said step of removing one
or more auxiliary classes from said group object includes the steps of:

removing a first auxiliary class associated with said subset of said first set of 
attributes; and 

removing auxiliary classes that are superior to said first auxiliary class and that 
are not superior to any auxiliary classes that remain part of said entry. 


42. An apparatus according to claim 39, wherein said method further 
comprises the step of: 

adding new attributes to said entry after said step of creating, said step of 
adding new attributes includes adding one or more auxiliary classes associated with 
said new attributes to said entry.

43. An apparatus according to claim 39, wherein said group object is 
stored in an LDAP directory. 
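
The class bookkeeping recited in claims 4, 5 and 10 (add an auxiliary class together with its missing superiors; on removal, also drop superiors no remaining auxiliary class needs, then delete the attribute data no remaining class permits) can be sketched as follows. This is an added illustration, not code from the patent; the schema, class names, attribute names and entry layout are constructed assumptions.

```python
# Constructed schema (hypothetical names): class -> (kind, superior, attributes).
SCHEMA = {
    "top":               ("abstract",   None,          set()),
    "groupOfNames":      ("structural", "top",         {"cn", "member"}),
    "groupExtras":       ("auxiliary",  None,          {"owner"}),
    "dynamicMembership": ("auxiliary",  "groupExtras", {"memberRule"}),
    "subscription":      ("auxiliary",  "groupExtras", {"subscriptionPolicy"}),
}

def superiors(cls):
    """Return every class above cls, nearest first."""
    chain, cls = [], SCHEMA[cls][1]
    while cls is not None:
        chain.append(cls)
        cls = SCHEMA[cls][1]
    return chain

def add_auxiliary(entry, cls):
    # Claim 10: add the class and any superiors not already part of the entry.
    entry["objectClass"].update([cls, *superiors(cls)])

def remove_auxiliary(entry, cls):
    classes = entry["objectClass"]
    classes.discard(cls)
    # Claim 4: drop auxiliary superiors that no remaining auxiliary class needs.
    for sup in superiors(cls):
        remaining_aux = [c for c in classes if SCHEMA[c][0] == "auxiliary"]
        if SCHEMA[sup][0] == "auxiliary" and not any(
                sup in superiors(c) for c in remaining_aux):
            classes.discard(sup)
    # Claim 5: delete attributes (and their data) no remaining class permits.
    permitted = set().union(*(SCHEMA[c][2] for c in classes))
    for attr in [a for a in entry["attrs"] if a not in permitted]:
        del entry["attrs"][attr]

def demo():
    # Constructed group entry with sample values.
    entry = {"objectClass": {"top", "groupOfNames"},
             "attrs": {"cn": ["admins"], "member": ["uid=alice"]}}
    add_auxiliary(entry, "dynamicMembership")
    add_auxiliary(entry, "subscription")
    entry["attrs"].update(owner=["uid=bob"], memberRule=["(dept=ops)"],
                          subscriptionPolicy=["open"])
    remove_auxiliary(entry, "dynamicMembership")  # groupExtras still needed
    after_first = (set(entry["objectClass"]), set(entry["attrs"]))
    remove_auxiliary(entry, "subscription")       # groupExtras now orphaned
    return after_first, (set(entry["objectClass"]), set(entry["attrs"]))

if __name__ == "__main__":
    for classes, attrs in demo():
        print(sorted(classes), sorted(attrs))
```

Because claim 13 has the same system evaluate these attributes for authorization, the attribute purge in `remove_auxiliary` is the step that keeps a stale membership rule or policy from outliving its class.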